
Details

JBoss Enterprise Portal Platform 5.2.2, which fixes multiple security issues and various bugs, is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience.

This release of JBoss Enterprise Portal Platform 5.2.2 serves as a replacement for JBoss Enterprise Portal Platform 5.2.1, and includes bug fixes. Refer to the JBoss Enterprise Portal Platform 5.2.2 Release Notes for information on the most significant of these changes. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/

The following security issues are also fixed with this release:

It was found that the JBoss JNDI service allowed unauthenticated, remote write access by default. The JNDI and HA-JNDI services, and the HAJNDIFactory invoker servlet were all affected. A remote attacker able to access the JNDI service (port 1099), HA-JNDI service (port 1100), or the HAJNDIFactory invoker servlet on a JBoss server could use this flaw to add, delete, and modify items in the JNDI tree. This could have various, application-specific impacts. (CVE-2011-4605)

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially-crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)
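Applications that parse untrusted XML can limit their exposure to DTD-processing flaws of this kind by refusing DOCTYPE declarations before any DTD is scanned. The following is an added illustration written for this page; it is not part of this erratum, of JBoss Enterprise Portal Platform, or of the Xerces2 fix. It assumes a JAXP DocumentBuilderFactory backed by a Xerces-derived parser that honours the `disallow-doctype-decl` and `load-external-dtd` feature names, and the two sample documents are constructed for the demonstration.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParser {

    // Xerces feature names; assumed to be honoured by the parser in use.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Build a parser that rejects any DOCTYPE, so the DTD scanner (the code path
    // involved in the flaw described above) never runs on untrusted input.
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(DISALLOW_DOCTYPE, true);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Returns true if the document parsed, false if the parser rejected it.
    public static boolean parse(String xml) throws ParserConfigurationException, IOException {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // A DOCTYPE is refused as soon as it is seen; its SYSTEM identifier is never processed.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain document, and one carrying a DTD with a SYSTEM identifier.
        String plain = "<portal><page name=\"home\"/></portal>";
        String withDtd = "<!DOCTYPE portal SYSTEM \"portal.dtd\"><portal/>";
        System.out.println("plain document parsed:   " + parse(plain));
        System.out.println("DOCTYPE document parsed: " + parse(withDtd));
    }
}
```

Refusing DOCTYPE declarations is a defence-in-depth setting for code paths that accept XML from remote parties; it does not replace applying the updated Xerces2 packages shipped with this release, and it is only appropriate where the application has no legitimate need for DTDs.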

It was found that the JMX Console did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the JMX Console, into visiting a specially-crafted URL, the attacker could perform operations on MBeans, which may lead to arbitrary code execution in the context of the JBoss server process. (CVE-2011-2908)

A flaw was found in the way Apache POI, a Java API for manipulating files created with a Microsoft Office application, handled memory when processing certain Channel Definition Format (CDF) and Compound File Binary Format (CFBF) documents. A remote attacker could provide a specially-crafted CDF or CFBF document to an application using Apache POI, leading to a denial of service. (CVE-2012-0213)

When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml "security-constraint" tag. (CVE-2012-1167)

When a JGroups channel is started, the JGroups diagnostics service would be enabled by default with no authentication. This service is exposed via IP multicast. An attacker on an adjacent network could exploit this flaw to read diagnostics information. (CVE-2012-2377)

Red Hat would like to thank Christian Schlüter (VIADA) for reporting the CVE-2011-4605 issue.

Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings.

Solution

The References section of this erratum contains a download link (you must log in to download the update). Before applying the update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings.